1/16/2013

Playing with QoffeeSIP: SIP over websocket scanner

Some weeks ago we published QoffeeSIP, the Javascript SIP over websockets stack which we use to develop our WebRTC products in Quobis. An example is IdentityCall, a system designed to provide call authentication in traditional VoIP and IMS environments. Now it achieves the same goal in WebRTC ones, interconnecting them at the same time with PSTN network.Today I’m showing a different case of use that those proposed in examples (the "simplest-example" and a "webphone"). I’m going to write a simple (but for sure the first one in the world ;) SIP over websockets server scanner. It should send a valid SIP (over websockets) petition, parse the interesting info from the response ( i.e. "User-Agent") and print it. I’m using the simplest example as basis, here there are the description of the changes I made on the code:- In this case no HTML video tags are provided to the constructor. The reason is that we are only using websocket features of the stack, not WebRTC ones.- Some stuff deleted from the interface in order to ask only for needed parameters (ip address, port and optionally the extension used to made the registration).- Media parts were also deleted from script.coffee file, which defines the logic of the app.- Obviously we need to change this logic so I added some code at the end. In this case we are saying that when states 2 (Registering after challenge) or 3 (Registered) are reached, received message is going to be parsed.- Then strings "User-Agent", "Server" and "Organization" are parsed from this response and printed. Really we are getting it from an object with the property "frame".- Finally, makefile is modified in order to generate the output with the correct name.

I have committed this example to QoffeeSIP examples of use, so you can download and use it as explained is QuickStart guide of the project. The command "make build" (or simply "make") is going to put the output files in "dist" folder. Then you only have to move them to an HTTP server, like Apache. You could follow next steps:

- Confirm you have installed coffeeScript and Jade in your system, if not you can use npm to install them ("coffee-script" and "jade").

- Copy them to your Apache server:sudo cp -R dist/* /var/wwwHere there are a few shoots:

Scanner setup

Scanning IdentityCall server

Scanning Kamailio

In a real tool, for best results, we should make some improvements like these:

- Use OPTIONS packets because of being more accurate for this target.

- Add support to ranges of ip addresses.- Avoid asking for approval to use webcam and/or micro. Really it is not used but it’s a limitation of the stack. We decided to do this request during registering instead of during a call because of usability issues.- Use Bootstrap to get a more friendly interface.But this is only a proof of concept so I think it is good enough for now. The target of this post is to show a different way of playing with the stack. Anyway I’m going to add support for websockets to my SIP Metasploit modules in any moment if you are interested in more professional tools.In the same way, if you were interested in a more complex application you can visit the online demo which implements "webphone" example of use. So you can play with it too, if you need help you can always open an issue on Github repository.